Passwords and PINs are notoriously difficult to remember. But it just so happens that we're exceptionally good at remembering distinct faces — a psychological quirk that security experts now say could be the next big thing in authentication.

It's called Facelock, a password alternative that plays to the strengths of human memory. Developed by researchers from the University of York in the UK, it could put an end to forgotten passwords while remaining secure. But early results show there's still work to be done.

Locking the System

Research suggests that while people can recognize many different photographs of the same person, unfamiliar faces are much harder to match across photographs. The system works by granting access only to someone who can demonstrate recognition of the chosen faces across a series of images, and denying access to anyone who cannot.

To configure Facelock, users select a set of faces that are well known to them but not well known to others, such as a distant relative or an obscure athlete. By choosing faces from across a user's different domains of familiarity, the researchers were able to create a set of images that were known only to that user. Knowing all the faces is the "key" that allows for authentication.

Users are typically confronted with about five challenge grids during the authentication procedure. Obviously, adding more would increase security, but decrease log-in efficiency. That said, users typically matched faces in about 200 milliseconds — which is pretty damned fast.

Testing the System

When testing the reliability of the system, the researchers found that account holders could authenticate easily by detecting familiar faces among other faces at a rate of 97.5%, even after a one-year delay (86% success rate). Those trying to breach the system (i.e., zero-acquaintance attackers) were reduced to guessing, achieving a success rate of 0.9%.

A typical challenge grid. You can easily see how, if you don't recognize a face, you're pretty much left to guessing.

"Pretending to know a face that you don't know is like pretending to know a language that you don't know — it just doesn't work," noted lead author Rob Jenkins in a statement. "The only system that can reliably recognize faces is a human who is familiar with the faces concerned."

Interestingly, personal attackers who knew the account holder were rarely able to authenticate, achieving a 6.6% success rate, which, to be fair, is still unacceptably high.

The researchers also found that shoulder-surfing attacks by strangers could be defeated by presenting different photos of the same target faces in observed and attacked grids, resulting in a 1.9% success rate.
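To make the mechanism described above concrete, here is a small Python model (an added illustration, not the York group's code): one target among distractors per grid, access only when every grid is answered, and a fresh photo and shuffled positions each session so that the cell positions a shoulder-surfer observed cannot simply be replayed. The 9-face grid and 3 photos per target are assumptions; the article states neither, and the human face-matching the paper relies on is not modelled.

```python
import random
from fractions import Fraction

# Assumed parameters: the article gives neither grid size nor photo count.
GRID_SIZE = 9
PHOTOS_PER_TARGET = 3

def blind_guess_probability(grids: int, grid_size: int = GRID_SIZE) -> Fraction:
    """Chance that a zero-acquaintance attacker passes by guessing one face per grid."""
    return Fraction(1, grid_size) ** grids

class FaceLock:
    def __init__(self, targets, distractors, rng):
        # targets: names of faces only the account holder knows; distractors: unknown faces
        self.targets = list(targets)
        self.distractors = list(distractors)
        self.rng = rng

    def challenge(self, grids: int):
        """Build one grid per sampled target: a random photo of the target among
        random distractor photos, shuffled so positions differ between sessions."""
        session, expected = [], []
        for name in self.rng.sample(self.targets, grids):
            cells = [(name, self.rng.randrange(PHOTOS_PER_TARGET))]
            for d in self.rng.sample(self.distractors, GRID_SIZE - 1):
                cells.append((d, self.rng.randrange(PHOTOS_PER_TARGET)))
            self.rng.shuffle(cells)
            session.append(cells)
            expected.append(name)
        return session, expected

    @staticmethod
    def verify(session, expected, picks) -> bool:
        """Grant access only if every picked cell holds that grid's target."""
        return len(picks) == len(session) and all(
            session[i][p][0] == expected[i] for i, p in enumerate(picks))

def holder_picks(session, expected):
    """The account holder recognises the target whichever photo of it is shown."""
    return [next(i for i, cell in enumerate(grid) if cell[0] == name)
            for grid, name in zip(session, expected)]

def replay_positions(observed_picks):
    """A shoulder-surfer who only noted cell positions replays them unchanged."""
    return list(observed_picks)
```

With the assumed parameters, five grids give a blind-guess pass chance of 1 in 59049 per attempt, and replaying observed positions fails almost every time because the targets are reshuffled.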

"Our findings suggest that the contrast between familiar and unfamiliar face recognition may be useful for developers of graphical authentication systems," conclude the authors in their study, which now appears in PeerJ.

Flimsy?

Personally, I think that, while promising, this system could use a bit of work. According to their own data, zero-acquaintance attackers should be able to breach the system after every 100 blind attempts. What's more, with the 6.6% success rate for acquaintances, Facelock cannot be considered a professional system.

To their credit, the authors go over the limitations:

First, the lock is vulnerable to an attacker who, like the account holder, knows the target faces. This was evident in Study 1, in which attackers who were closest acquaintances of the account holders correctly guessed more targets than attackers who were less close acquaintances. This vulnerability underscores the importance of appropriate target selection. One way for a secret holder to minimise risk would be to maintain a large pool of target faces, and to sample these from disparate fields of interest, so that no single attacker knows enough targets to authenticate.

A second limitation is that attackers may be able to match different images of targets whose appearance is both distinctive (e.g., bald head and round glasses), and stable (i.e., similar appearance in all photos). This was seen in Study 2, where one lock that contained highly distinctive faces could be compromised in a shoulder-surfing attack. For similar reasons, target distinctiveness may be a concern whenever an account holder's targets are all drawn from a single ethnic group or age band. These risks could be reduced by avoiding highly distinctive faces, and by avoiding similar images of any particular target.

So, with some refinement, this system could be workable. One idea is to make the grid more homogeneous (i.e., organizing the faces by type), thus making image matching far more difficult for attackers. And as noted, more challenges per log-in session would surely increase security.